[PATCHES] Fix wfb wrapping problem

Aaron Plattner aplattner at nvidia.com
Wed Aug 1 14:48:47 PDT 2007 

I'm sending this to the list as per the "code slush" policy.  These changes
wait to unwrap a drawable until after the drawable's pointer is used,
avoiding corruption and/or crashes.

-- Aaron


>From 074f678a65e3554eecf645633710ebffa619b15c Mon Sep 17 00:00:00 2001
From: Aaron Plattner <aplattner at nvidia.com>
Date: Wed, 1 Aug 2007 14:16:55 -0700
Subject: [PATCH] Return a bool from pixman_image_unref.

Returns TRUE when the refcount reaches 0 and the image is freed.
---
 pixman/pixman-image.c |    7 ++++++-
 pixman/pixman.h       |    2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/pixman/pixman-image.c b/pixman/pixman-image.c
index ca186a3..2cbf88c 100644
--- a/pixman/pixman-image.c
+++ b/pixman/pixman-image.c
@@ -106,7 +106,8 @@ pixman_image_ref (pixman_image_t *image)
     return image;
 }
 
-void
+/* returns TRUE when the image is freed */
+pixman_bool_t
 pixman_image_unref (pixman_image_t *image)
 {
     image_common_t *common = (image_common_t *)image;
@@ -146,7 +147,11 @@ pixman_image_unref (pixman_image_t *image)
 	    free (image->bits.free_me);
 	
 	free (image);
+
+	return TRUE;
     }
+
+    return FALSE;
 }
 
 /* Constructors */
diff --git a/pixman/pixman.h b/pixman/pixman.h
index bd6045f..5c64d44 100644
--- a/pixman/pixman.h
+++ b/pixman/pixman.h
@@ -450,7 +450,7 @@ pixman_image_t *pixman_image_create_bits             (pixman_format_code_t
 
 /* Destructor */
 pixman_image_t *pixman_image_ref                     (pixman_image_t               *image);
-void            pixman_image_unref                   (pixman_image_t               *image);
+pixman_bool_t   pixman_image_unref                   (pixman_image_t               *image);
 
 
 /* Set properties */
-- 
1.5.1.6

---------------------------------------------------------------------------

>From 7ff9c49733e185dcc7f57a12791c193ce9655016 Mon Sep 17 00:00:00 2001
From: Aaron Plattner <aplattner at nvidia.com>
Date: Wed, 1 Aug 2007 14:30:03 -0700
Subject: [PATCH] Don't unwrap too early in libwfb for Composite.

Don't call fbFinishWrap until the pixman_image_t that stores the pointer is
actually freed.  This prevents corruption or crashes caused by accessing a
wrapped pointer after the wrapping is torn down.
---
 fb/fb.h        |    1 +
 fb/fbpict.c    |   23 ++++++++++++-----------
 fb/fbtrap.c    |    8 ++------
 fb/wfbrename.h |    1 +
 4 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/fb/fb.h b/fb/fb.h
index 3782fae..27b49f6 100644
--- a/fb/fb.h
+++ b/fb/fb.h
@@ -2117,6 +2117,7 @@ fbPaintWindow(WindowPtr pWin, RegionPtr pRegion, int what);
 
 pixman_image_t *image_from_pict (PicturePtr pict,
 				 Bool       has_clip);
+void free_pixman_pict (PicturePtr, pixman_image_t *);
 
 #endif /* _FB_H_ */
 
diff --git a/fb/fbpict.c b/fb/fbpict.c
index 9efa0e8..4d1ad0b 100644
--- a/fb/fbpict.c
+++ b/fb/fbpict.c
@@ -185,15 +185,11 @@ fbComposite (CARD8      op,
 	pixman_image_composite (op, src, mask, dest,
 				xSrc, ySrc, xMask, yMask, xDst, yDst,
 				width, height);
-	    
     }
-    
-    if (src)
-	pixman_image_unref (src);
-    if (mask)
-	pixman_image_unref (mask);
-    if (dest)
-	pixman_image_unref (dest);
+
+    free_pixman_pict (pSrc, src);
+    free_pixman_pict (pMask, mask);
+    free_pixman_pict (pDst, dest);
 }
 
 void
@@ -332,8 +328,6 @@ create_bits_picture (PicturePtr pict,
     /* Indexed table */
     if (pict->pFormat->index.devPrivate)
 	pixman_image_set_indexed (image, pict->pFormat->index.devPrivate);
-    
-    fbFinishAccess (pict->pDrawable);
 
     return image;
 }
@@ -379,7 +373,7 @@ set_image_properties (pixman_image_t *image, PicturePtr pict)
 	pixman_image_set_alpha_map (
 	    image, alpha_map, pict->alphaOrigin.x, pict->alphaOrigin.y);
 	
-	pixman_image_unref (alpha_map);
+	free_pixman_pict (pict->alphaMap, alpha_map);
     }
     
     pixman_image_set_component_alpha (image, pict->componentAlpha);
@@ -445,6 +439,13 @@ image_from_pict (PicturePtr pict,
     return image;
 }
 
+void
+free_pixman_pict (PicturePtr pict, pixman_image_t *image)
+{
+    if (image && pixman_image_unref (image) && pict->pDrawable)
+	fbFinishAccess (pict->pDrawable);
+}
+
 Bool
 fbPictureInit (ScreenPtr pScreen, PictFormatPtr formats, int nformats)
 {
diff --git a/fb/fbtrap.c b/fb/fbtrap.c
index e70336c..830603a 100644
--- a/fb/fbtrap.c
+++ b/fb/fbtrap.c
@@ -47,9 +47,7 @@ fbAddTraps (PicturePtr	pPicture,
     
     pixman_add_traps (image, x_off, y_off, ntrap, (pixman_trap_t *)traps);
 
-    fbFinishAccess (pPicture->pDrawable);
-
-    pixman_image_unref (image);
+    free_pixman_pict (pPicture, image);
 }
 
 void
@@ -65,9 +63,7 @@ fbRasterizeTrapezoid (PicturePtr    pPicture,
 
     pixman_rasterize_trapezoid (image, (pixman_trapezoid_t *)trap, x_off, y_off);
 
-    fbFinishAccess (pPicture->pDrawable);
-
-    pixman_image_unref (image);
+    free_pixman_pict (pPicture, image);
 }
 
 static int
diff --git a/fb/wfbrename.h b/fb/wfbrename.h
index 952512e..5ea9092 100644
--- a/fb/wfbrename.h
+++ b/fb/wfbrename.h
@@ -188,6 +188,7 @@
 #define fbWinPrivateIndex wfbWinPrivateIndex
 #define fbZeroLine wfbZeroLine
 #define fbZeroSegment wfbZeroSegment
+#define free_pixman_pict wfb_free_pixman_pict
 #define image_from_pict wfb_image_from_pict
 #define xxScrPrivateIndex wfbxxScrPrivateIndex
 #define xxGCPrivateIndex wfbxxGCPrivateIndex
-- 
1.5.1.6

More information about the xorg mailing list